On Sat, 17 Feb 2018, klwilson...@comcast.net wrote:
> I have just installed two Centos7 systems and am attempting to get libreswan
> set up.
> Naively used DHCP for the hosts initially. Moved to static later on; not sure if
> this is part of the issues I am having.
> I ran the following on both machines:
> Ipsec nssinit
> Ipsec newhostkey
> Then I configured the host-to-host.conf two endpoints with their IP and keys
> that:

Did you use ipsec showhostkey --list and ipsec showhostkey --left/--right to
add the proper public keys in your configuration?

> 003 “host-to-host” #4: unable to locate my private key for RSA Signature
> 224 “host-to-host” #4: STATE_MAIN_I2: AUTHENTICATION_FAILED to 192.168.89.6:500

Looks like your rightrsasigkey= and leftrsasigkey= are not properly
configured.
> conn host-to-host
>     left=192.168.89.7
>     leftid="@k1"
>     leftrsasigkey=[keyid AwEAAexla]

Do you have actual [brackets] there? It should not look like that.

>     rightrsasigkey=[keyid AwEAAejt9]
>
> 000 List of RSA Public Keys:
> 000
> 000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), until --- -- --:--:-- ---- ok (expires never)
> 000        ID_FQDN '@k2'
> 000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), until --- -- --:--:-- ---- ok (expires never)
> 000        ID_FQDN '@k1'

You seem to have no private keys for those public keys?
Did you reinit your nss database after grabbing the public keys?
The order to do things should be:

- ipsec stop
- delete unknown nss db: rm /etc/ipsec.d/*db
- start a new nss db: ipsec initnss
- generate a new key: ipsec newhostkey

Once you have done that on both sides, you can get the public keys on
both ends to put in the configuration file.

- ipsec showhostkey --list (look at the ckaid)
- ipsec showhostkey --ckaid XXXX --left (where XXXX is the ckaid from the previous command)
- put the output of that in the config either as leftckaid=/rightckaid= or leftrsasigkey= / rightrsasigkey=
See also
https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Using_raw_RSA_keys_with_NSS
Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
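The diagnosis Paul walks through above can be scripted. The following is an added example, not code from the thread or from libreswan: it parses a conn block and the "List of RSA Public Keys" output quoted above and reports bracketed rsasigkey values and public keys that lack a matching private key in the local NSS database. The samples are constructed from the thread, and the mapping from a real `0s<base64>` value to the short keyid (first 9 base64 characters) is an assumption about how libreswan derives the keyid.

```python
import re

# Constructed sample: the conn block from the thread, including the stray brackets.
SAMPLE_CONF = """conn host-to-host
    left=192.168.89.7
    leftid="@k1"
    leftrsasigkey=[keyid AwEAAexla]
    rightrsasigkey=[keyid AwEAAejt9]
"""
# Constructed sample modelled on the 'List of RSA Public Keys' output in the thread.
SAMPLE_PUBKEYS = """000 List of RSA Public Keys:
000 Feb 17 12:21:16 2018, 3488 RSA Key AwEAAejt9 (no private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_FQDN '@k2'
000 Feb 17 12:21:16 2018, 3120 RSA Key AwEAAexla (no private key), until --- -- --:--:-- ---- ok (expires never)
000        ID_FQDN '@k1'
"""
KEY_LINE = re.compile(r"RSA Key (?P<keyid>\S+) \((?P<priv>\w+) private key\)")


def parse_pubkeys(text):
    """Return {keyid: has_private_key} from pluto's public-key listing."""
    return {m["keyid"]: m["priv"] != "no" for m in KEY_LINE.finditer(text)}


def parse_conn(text):
    """Return the key=value options of one conn block, quotes stripped."""
    pairs = (line.strip().split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip().strip('"') for k, v in pairs}


def keyid_of(value):
    """Short keyid as the listing prints it. Assumption: for a real '0s<base64>'
    value libreswan shows the first 9 base64 characters; '[keyid X]' yields X."""
    if value.startswith("0s"):
        return value[2:11]
    return value.strip("[]").split()[-1] if value else ""


def diagnose(conf_text, pubkeys_text, side="left"):
    """Explain 'unable to locate my private key'; side is the local end of the conn."""
    opts, keys = parse_conn(conf_text), parse_pubkeys(pubkeys_text)
    option = f"{side}rsasigkey"
    value = opts.get(option, "")
    problems = []
    if value.startswith("[") or value.endswith("]"):
        problems.append(f"{option} is wrapped in brackets; use the bare value printed by ipsec showhostkey --{side}")
    keyid = keyid_of(value)
    if keyid not in keys:
        problems.append(f"{option} matches no loaded public key")
    elif not keys[keyid]:
        problems.append(f"no private key in the NSS database for {option} ({keyid}); redo initnss/newhostkey and refresh the config")
    return problems
```

Run `diagnose(conf, listing, "left")` on the left host and `"right"` on the right host, feeding it the conn block and the output of `ipsec auto --listpubkeys`; an empty list means the local key pair and its config entry agree.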